What is the best way to extract data when my log h...

nunyabizness123 · ‎02-08-2017

How would I go about parsing out/extracting the field data for the following log format?

"fieldname1":"fieldvalue1","timestamp":"2017-02-07 14:19:54.166","ip_address":"3.3.3.3","user_id":"USER1"
"fieldname1":"fieldvalue1","timestamp":"2017-02-07 14:19:52.395","fieldname2":"fieldvalue2","user_id":"USER2"
"fieldname1":"fieldvalue1","timestamp":"2017-02-07 14:19:50.316","ip_address":"8.8.8.8","fieldname2":"fieldvalue2"

Not all lines of logs will contain all the same fields, but field names are constant. The fields are always comma separated and then in "field":"value" pairs. Currently, I have separate field extractions for each interesting field such as:

\"fieldname1\":\"(?P[a-zA-z]*)

Is this the right way to do this or is there an easier or more proper method?

aaraneta_splunk · ‎03-11-2017

@nunyabizness123 - Did the answer provided by karlbosanquet help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!

karlbosanquet · ‎02-08-2017

Have you had a look at DELIMS in transforms.conf? Here is something that should work;

[comma_colon]
DELIMS = ",", ":"

What is the best way to extract data when my log has with comma separated fields and the field-value pairs are separated by a colon?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases